A practicing CISO's perspective on managing information security in large enterprises.

Wednesday, April 8, 2009

Scareware and the Digital Divide

Today Microsoft's Security Intelligence Report came out with the news that "rogue security software" is on the rise. This will come as absolutely no surprise for those of us who have spent a Sunday afternoon trying to rid their friend/grandmother/brother-in-law/neighbor/cousin's PC of the latest AntiSpyware1-ish rogue security software.

For those of you who haven't had the pleasure, these programs infect a PC either by stealth or by inducing a user to click on a pop-up ("Your computer is not running at optimal speed. Click here to fix this issue"). Once installed, scareware basically holds your computer hostage with gazillions of warnings and pop-ups until you buy its "security" product. Depending on your definitions, scareware can be seen as a special case of phishing.

These rogue anti-virus programs have an enormous indirect cost to society by cementing the digital divide. Users who were already wary of computers are tempted to throw in the towel when confronted with persistent security warnings that they neither understand nor can do anything about. Scareware is only a nuisance to advanced users but is a real show stopper for the least technical and disenfranchised users.

The Microsoft report underscores this fact. The results imply that keeping your computer and applications updated and exercising some caution with your surfing and downloading are a fairly strong defense against getting rogue security software. Unfortunately, the less tech-savvy a user is, the less likely they are to be able to do either of these things. Advanced users usually have properly configured System Restore options on their computer, which can address most (though not all) of these programs. Less advanced users either do not have these configured or don't know how to use them.

Going after scareware is tough for all the usual reasons that fraud can thrive on the Internet - the ability of perpetrators to cover their tracks, jurisdiction problems, cost of investigation, and so forth. But to prosecute scareware peddlers you also need to prove that the product is actually a fraud. I haven't seen much case law on this topic, but I can imagine that a lot of it falls more under the FTC-deceptive-practice umbrella than total criminality. After all, anyone who has tried to remove some of the older versions of Norton anti-virus from their computer knows that they don't go down without a fight. Where is the line between aggressive market positioning and fraud?

All of this does not bode well for the fight against scareware. Unlike traditional spam, scareware is amazingly effective, with response rates in the high single digits. And because it mainly victimizes the end user - unlike, say, click-through fraud, which eventually costs everyone money - we are unlikely to see any particular industry move to seriously address this issue.

Back in the Middle Ages of the Internet in the early 2000s, I was a member of the eEurope 2005 Advisory Group that advised the European Commission on Internet policy. The roughly 30 members of this group included a motley crew of former government ministers, professors, subject-matter experts and CEOs. Back then physical access and so-called eInclusion were the primary focus of this group, as they were seen as the prime barriers to participation. Today physical access has for the most part been commoditized in the western world. The overall effect of the Internet has been overwhelmingly inclusive for previously disadvantaged groups. But the so-called security tax has fallen disproportionately on people who lack basic Internet skills to begin with.